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Managing third-party risk ina changing 
regulatory environment 


The rising tide of regulatory scrutiny stemming from the 2008 financial crisis has now reached beyond banks to 
the companies that supply them. Under the broad notion that activities can be outsourced, but responsibility 
cannot, the Consumer Finance Protection Bureau (CFPB) and other regulators are holding financial institutions 
responsible not only for their own actions, but for those of their vendors and suppliers. Thus, in the past 

nine months, Capital One, Discover Card and American Express have paid a total of $525 million to settle 
complaints of deceptive selling and predatory behavior by their third-party suppliers. 


Through these actions, and others, the nature of the due diligence firms are required to conduct is expanding 
well beyond the traditional assessments for supplier, operational, and IT security risks. The rules have 

not changed entirely, but the emphasis has. Regulators are sensitive to other risks, such as strategic and 
reputational risks, that even smaller third parties can create for customers, and are critical of firms’ processes 
for monitoring these risks. 


This new regulatory thrust poses a big challenge for financial institutions, which typically have more than 
20,000 suppliers. Worse, firms often have only a limited understanding of the ways that suppliers interact with 
customers. But as they must bear the costs of suppliers’ misdeeds, financial institutions now have a strong 
incentive to broaden and deepen the way they manage these relationships. And there is also a business 

case for doing so: effective third-party management is a mainstay of good operational health and cost 
management. We have found that the current state of the art requires firms to develop or improve along the 
following six elements: 


= Acomprehensive inventory ofall third parties with whom the firm has a relationship. Many firms find 
it difficult to build this list; enterprise-wide surveys and data algorithms to reconcile data are effective tools 
that can help. 


= Acomprehensive catalog of specific customer risks to which third parties can expose the firm. 
Many institutions don’t fully understand all the risks their third parties run. A master risk register, tied to the 
issues that the CFPB is actively pursuing, can help track them down. 


= Arisk-based segmentation of the supplier base. Not all suppliers carry the same amount of risk. Firms 
need to better triage their suppliers to make sure the most effort is devoted to the highest risks. 


= Rules-based due diligence testing. Treating every supplier the same doesn’t make sense. Carefully 
designed rules can help firms focus their investigation of suppliers. 


= Adisciplined governance and escalation framework. At many firms, third-party risk management 
does not have a natural owner. Establishing one and giving that group the right decision-making powers 
is essential. 


= Integrated technology and MIS workflow process and tools. Adapting current risk IT applications 
to third-party management is tricky, and building anew one is even harder. A purpose-built off-the-shelf 
application is the right answer for many. 


Firms that have successfully built these six elements are finding that the work is yielding the expected benefits 
of lower risk costs. Just as important, they say, is the advantage of being able to present a coherent approach 
to all the key stakeholders. 


The heightened emphasis on consumer protection 


Protection of consumers’ interests dates back at least to 1968 and the Truth in Lending Act (Reg Z). But in the 
past decade, and especially since the 2008-09 financial crisis, all the major financial regulators including the 
Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, 
have taken a keener interest than ever in guarding the financial consumer from the risk of predatory behavior 

by third parties contracted by banks and other financial institutions. The Dodd-Frank Wall Street Reform and 
Consumer Protection Act created the Consumer Financial Protection Bureau, an agency charged with just 
this kind of protection. In another example, in 2012, the National Mortgage Settlement issued $25 billion in 
fines and other actions against five leading mortgage servicers, in part for missteps by their suppliers, such as 
foreclosure law firms. 


Aprimary theme of the CFPB’s work to date is that while banks and other financial institutions can outsource 
activities, they cannot outsource the responsibility of consumer protection to their third parties. Since its 
inception, the CFPB has logged more than 79,200 consumer complaints covering 33 types of issues. 
Mortgage and credit card companies have generated most of the complaints, 45 percent and 29 percent 
respectively. In its first public enforcement case, the CFPB fined Capital One $210 million to settle charges of 
deceptive marketing practices on the part of some of the company’s third-party suppliers. Soon after, Discover 
Card settled similar charges for similar amounts, and American Express agreed to pay $112 million to settle a 
CFPB action. 


Exhibit 1 The bar on third party management has been significantly raised. 


Management approach 


Traditional programs 


Focused on vendors and managed as a part of the 
procurement process 


Primarily based on vendor size resulting in lack of 
appropriate oversight for some high risk smaller 
vendors (e.g., foreclosure law firms) 


Primarily focused on financial assessment, 
business continuity and information security 


» Audit activities/ questions not focused on vendor 


specific risks 


» Scorecards primarily focused on performance 


indicators 


» Some systematic tracking or reporting of third 


party-related complaints 


= Owned by the Business or vendor management 


Decisions made typically by vendor management 

and/ or business, with limited oversight 

Process for third party related incidents not clearly 
defined which resulted in inconsistent/ inadequate 
escalation of incidents 


Focused primarily on tracking third party 
production performance data, with limited / no 
ability to track in real-time risk performance data 
Limited / No enterprise-wide workflow 
management tools to ensure consistent risk 
management ownership across BUs 


Best in class programs based on recent 
regulatory requirements 


Broader scope to include all third parties (e.g., 
including co-brand partners, joint ventures, fee- 
based or add-on services) 


Risk based segmentation, driven by the nature of 
risk the third party poses to the bank, with suitable 
controls to address the risk 


Includes assessment of compliance to regulations 
that govern the activity performed by vendor 


» Audit questions and materials based on key 
breakpoints for that third party 

» Supplemented with compliance and QC metrics to 
ensure monitoring of risks in addition to 
performance 
End-to-end process to capture, track and report 
complaints is put in place 


Involvement of independent teams (e.g., 
compliance) in oversight activities 

Decisioning by senior cross functional team 
including representatives from Legal, Compliance, 
Risk and Business 

Detailed of escalating incidents to ensure 
transparency on emerging risks and executive 
involvement where necessary 


» Comprehensive source of third party performance 
and risk based data with clear records of risk 
management owners across BUs 
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Caught on the back foot 

Our work and experience suggest that many financial institutions are under-prepared for the organizational 
and tactical implications of this regulatory change. Most firms’ vendor management programs have focused 
predominantly on risks such as business continuity, financial strength, and credit risk. The scope of regulatory 
oversight has broadened, to include not just these risks to the bank and the financial system, but also to 
consumers (Exhibit 1). 


Those risks are obscured partly by the sheer size of the supply chain. At the nation’s biggest banks and credit 
card companies, the list of third parties typically runs to more than 20,000 names; some firms might have 
50,000 suppliers. Firms are quite careful about some of these relationships, especially with large and mid-size 
suppliers; they often have dedicated teams to manage the most complex relationships. And it is true that many 
of these vendors provide paper, computers, and other innocuous goods and services. But many relationships 
are not closely managed, and some carry hidden risks. The company that molds and prints credit cards, for 
example, is also entrusted with customer data, which poses any number of privacy and security risks. 


Compounding the problem is the changing nature of third-party relationships. In today’s marketplace for 
consumer financial services, most firms have signed agreements with marketing partners, co-branding 
partners, fee-based service providers, and others, to gain access to assets and capabilities. These are 
complex arrangements in which risk-sharing is sometimes poorly specified, and some risks are unaddressed. 


In the face of these changes, the approaches that many firms use to manage third parties are proving 
insufficient, as they tend to focus on metrics of supplier performance. For example, in contracts with collection 
agencies, firms monitor call volumes and amounts recovered, and usually do not consider risk metrics Such as 
the number of customer complaints or the level of potential reputational risk to the firm. 


Excellence in third-party risk management 


As aresult, some leading banks and credit card companies are developing and embracing several best 
practices that together form a comprehensive approach to third-party risk management. Based on our work, 
we see six critical components to such a program. Many of these elements can be built in parallel. 


Acomprehensive inventory of third parties 

Collating an exhaustive list of third parties is a big undertaking. Risks cannot be assessed and mitigated until 
they are found, but most financial institutions have tens of thousands of supplier relationships. Regulators 
are expecting institutions to have an understanding of who their third parties are, as well as a detailed 
understanding how each third party interacts with the consumer and the activities it performs. 


Most firms don’t have the information needed. Supplier databases are incomplete, and some of the most 
sensitive risks often turn out to reside in some relationships that are not found in supplier databases. 
Co-branded partnership, joint ventures, sponsorships, and other similar relationships can comprise up to 
80 percent of the spending that some business units assign to suppliers. But these relationships are often 
managed in ways that emphasize commercial goals, with only asecondary focus on risk. 


Even where suppliers are known, many organizations lack fundamental information on the risks these 
companies run. There are few if any reliable sources of information on fraud allegations and convictions among 
small businesses, for example. Sometimes different business units track their suppliers in different ways, 
leading to difficulties of comparison and collation across the enterprise. Our experience suggests that best- 
in-class third-party databases include coverage of all third parties, defined as any non-customer entity with 
whom the financial institution engages in a business relationship (Exhibit 2). An enterprise-wide survey is a 
good way to get started. An effective algorithm for collating and reconciling businesses’ various data models 
can help speed the task, and reduce the time needed from 9 to 6 months. 


Exhibit 2 How regulators define the universe of third parties. 


Per the OCC, the term, “third party” includes “all entities that have entered into a business relationship” 
with the financial institution. 


Treasury 
counter- 
parties 


Out of scope (example) 


Customers 


Joint 
Ventures 


Acomprehensive catalog of third-party risks 

Third parties can expose their customers, and their customers’ customers, to a wide range of risks. Developing 
acomprehensive list of these risks and breakpoints is essential for the success of audit routines and the 
scorecards used to monitor risk. For example, if a third-party call center has a risk of agents misrepresenting 
product information to customers, the bank will monitor this specific risk in an audit (e.g., through call 
monitoring) and request regular reports on call quality and customer escalation metrics. (Exhibit 3 shows an 
example of a detailed breakpoint analysis). Naturally, the inventory of customer risks will vary across categories 
of suppliers, depending on the nature of the interaction with consumers. Higher risk categories will typically 
have 20-30 potential risks or “breakpoints.” 


Financial firms face two challenges in developing the risk catalog: identifying the relevant breakpoints for 
each category of suppliers, and determining the relative weight and importance of each breakpoint. Our work 
suggests that a master register of breakpoints and their risk weights in each category is broadly relevant to 
almost all firms, and can be adapted to the particular circumstances of individual institutions. With the help of 
the master register, this element can be built in three months. That adaptation is an essential step, as it helps 
the firm understand the true drivers of its risk, and guides its program of mitigation. 
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Exhibit 3 Tailoring oversight to third-party specific risks/breakpoints are critical for mitigation 
of risks—collections agency example. 


CALL CENTER EXAMPLE 


=b Breakpoints 
Breakpoints — examples Compliance related 


Leif intaking and Debtor outreach Account maintenance File off-boarding 
on-boarding 


=> Files not transferred/ = Dialer settings violate the => Agency takes actions => Payment is not properly => Files are not properly 


debtor information allowable hours of phone on accounts that are applied and posted transferred to other 
inputted incorrectly contact set forth in Fair Debt not within the bank’s => Debtor payment agencies and back to the 
=> Incorrect Collection Practices Act guidance or fails to get information logged bank 
segmentation of files (FDCPA) approval for actions incorrectly => Log of actions taken on 
=> Agents use abusive language => Agency fails to notify => Debtor payment programs cases is not submitted 
and misrepresent facts (e.g., the bank of actions may not be managed => Confidential information 
amount owed) - (FDCPA taken on account and correctly about debtors is not 
violation) major events (e.g., >: Sora automated completely removed from 
= Agents continue to reach out bankruptcy) payments may not be in agency 
borrowers despite written =b Verification of debt is compliant 
dispute (FDCPA) not sent to customer abe No loge payments of 
=> Agents contact borrowers in 30 days despite ida, ple ahd 
represented by attorneys Customers request unidentified payments 
(FDCPA) (FDCPA requirement) 
=b Communications to debtors 
do not refer to customer's Third party specific 
right to dispute the debt breakpoints drive focus of: 
(FDCPA) = Audit activities including 
n management and frontline 
=> Agents are not licensed in the States they operate interviews and process 
=> Agents are not properly trained on regulations on FDCPA requirements walkthroughs 
F r à = P&P reviews and controls 
=> There are no call scripts to guide agents on how to answer questions E 
=> Calls are not adequately monitored by supervisors of agents = QC tests and MIS 


monitoring 
=> Customer complaints are not escalated within agency and to the bank Results are reported for 
individual breakpoints to 


=> Customer documents and information not handled properly to protect privacy of debtors [RWSUICR ur ia kio 
are monitored 


=> Customer files are lost or not returned to bank 


Arisk-based segmentation 

With acomplete inventory of third parties and their relative risks in hand, the firm can then categorize its 
supplier relationships based on the level of risk to customers. Even a simple system of “high,” “medium,” and 
“low” risk categories can be useful. In our experience, most leading institutions have 200 to 300 high-risk 
relationships at atime, irrespective of the total number of third parties they contract. An effective segmentation 
helps the firm efficiently allocate resources, by conducting more risk and due diligence activities to higher risk 
relationships, and conducting routine and potentially automated routine reviews of its lower risk suppliers. 


We have seen firms use two approaches to assign their third parties to risk tiers. In the score-based approach, 
the firm conducts due diligence across all dimensions, and uses the results to develop a composite risk score. 
While very thorough, the approach can be onerous and resource-intensive for many organizations. In a rules- 
based approach, the firm defines some rules or criteria tied to breakpoints to streamline the assignment to a 
risk category. This approach is about 40 to 60 percent faster than a score-based approach, as it entails only 
the risk assessment and due diligence activities needed (Exhibit 4). 


Designing the approach can take 2 to 3 months, and refining it and testing it with business leaders another 
month or two. Given these requirements, leading institutions invest heavily in getting the design right; typically 
they identify a core team of risk experts to drive the design, the fine-tuning, and the implementation. 


Exhibit 4 A systematic risk assessment process should drive tailored diligence and control. 


CREDIT CARD EXAMPLE 

Question: Does the proposed 
service/ activity involve ... 
=... access to customer, Due Diligence Risk Tier and Due 

employee, or merchant PII? Risk Assessment Questions Activities Diligence Method Examples 
=... material risk to earnings or = High Risk: On-site = Collections 

capital? High- testing of customer = Fee-based 
=... performance of a Critical “Type of Touch oe tion ei es 

Business Function by third interaction? security and other 

5 process controls 

party? 4 
= ... speaking to customers, à Low- = High Risk: SSAE "= Servicing 

employees, merchants? ‘ : K me | Touch 16 (or equivalent) (providing 
z peak witi ; ~ >400k report review or info) 

... access to Intellectual customers?” Nowst er ere 


property (e.g., technology, 


customers? document review to 


non-PIl data)? <100k 
poe KS gain assurance 
=... activities such as: | over process 
- Cash transactions? controls 
— Involvement with Oe Low Risk: Limited = Direct mail 
competitor? Marketing or” document review = Email 


— Unlawful activities? No SY 
=... third party helping to initiate 
transactions on behalf of or an 
effect on accounting processes 
or financial reporting 
processes? Guidelines for “Type of Interaction” 
= High-touch interactions can include marketing/ sale of products or services, including extension of 
credit, collections 


Proceed to next panine 


question 


= Low-touch interactions can include non-marketing activities, such as providing information 
a Marketing and advertising is defined as outreach interactions with the specific intent to influence the 
customer/employee/merchant to contract with FIRM 


Rules-based due diligence testing 

With the shift in regulatory emphasis, the nature of the due diligence required is becoming increasingly 
rigorous. Traditional approaches match a set of diligence activities to the level of risk identified by the risk- 
based segmentation. A supplier in the high-risk category receives the full treatment of all available diligence 
investigations. As discussed above, this tends to be overly onerous and resource intensive. 


Here too the rules-based approach can be a better answer, because it triggers the right set of diligence activities 
for the risks identified. For example, even if a third party is deemed high risk, if it does not hold customer 

PII (personal identifiable information), there is no reason to conduct an information security or data privacy 
screening. We have found that the rules-based approach can save up to 40 percent in time and labor costs. 


Disciplined governance and escalation process 

Creating organizational alignment is particularly important in the new emphasis on broad and deep third- 
party management, where decision-making rights are spread across businesses and functions such as 
procurement, compliance, operational risk management, and others. Establishing upfront the structures and 
processes to address misalignments will enable a timely resolution of challenges when they arise. 


Governance can be either centralized or decentralized; both approaches, and some hybrids of the two, 

can be successful (Exhibit 5). The centralized model, naturally, keeps most major decisions (such as risk 
“tiering” and due diligence activities) within a single group, Such as procurement or a shared services team. 
While this approach yields a clear and accountable owner, it can sometimes generate tension between the 
business units that “own” the working relationship with the third party and the centralized body accountable 
for risk assessments. 


A decentralized model lets the business units that own the relationship also manage the risk. This too has 
its drawbacks; it can sometimes result in duplication of resources (for example, a major third-party supplier 
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Exhibit 5 Consumer risk can be governed within the existing committee structure or by creating 
a new committee. 


ILLUSTRATIVE 


Model 1: Consumer risk is escalated via existing J Model 2: Consumer risk is escalated via new 
committee structure committee structure 


Existing operational risk / Existing operational Consumer 
compliance committee risk & compliance risk 


Consumer risk committee committee 


= Avoids duplication of similar committees = Ensures that consumer risk is prioritized 
requiring senior executive time = Communicates the importance of consumer risk 

= Mitigates opportunity for contradictory guidance to the organization 

= Requires less change management = Typically expedites the escalations process 


might be assessed by several business units for very similar contracts and relationships). And a decentralized 
approach can see inconsistent application and misalignment of risk standards between, say, procurement and 
operational risk. Ahybrid approach, carefully tailored to the organizational context, can help mitigate potential 
Challenges of the other two models, but must be monitored closely to ensure lines of risk ownership are not lost. 


An escalation framework is needed to resolve disagreements and challenges that exceed the decision-making 
limits set out in the governance structure (Such as requests for exception, and resolution of third-party breach). 
While most organizations have an operational risk management group, its governance model and mandate 
might not be sufficient to address the additional volume of third-party issues. In our experience, leading 
financial institutions are choosing to assign new responsibilities to standing committees rather than create new 
ones to support third-party escalations. Each organization must find an appropriate approach given its risk 
appetite and culture. 


Designing the governance model and escalation framework can take up to six months; expect to spend 
another six months to “stand it up” in the organization. 


Integrated management reporting and workflow process and tools 

Clear, actionable management reports and well-designed workflow systems are essential for accountability 
across the first line of defense (the business units), as well as the second (compliance) and third (audit). To work 
well, these tools must track and monitor all the relevant data, of course, but more importantly they must do two 
other things: aid workflow not just within but across business units; and give managers the right information 

to get a true picture of risk, in near-real time, and recommendations to act on it. In our experience, most 
organizations currently have tools that address one or two of these functional needs, but to our knowledge 
none has a single tool that performs all three functions. 


Building a new third-party risk application from scratch is of course a big undertaking; so too is enhancing 
acurrent risk tool to do the new jobs. Firms should prepare for the project with a strong, dedicated team, 
and budget 3 to 6 months. One solution that some firms are using is an off-the-shelf workflow and risk 
management tool that can be easily customized to the organization’s specific needs. 


eee 
= Dowehaveasingle repository of all third parties (including traditional suppliers such as IT call centers, 


co-brand partners, fee-based services, joint venture partners, distribution partners)? If not, what will it take 
to build one? 


= Do we have an inventory of due diligence tests? Are they clearly defined, with owners for each of due 
diligence tests, and with adequate training for the associates performing the test? 


m Arethe processes and standards consistent across BUs? Is there a robust governance and escalation 
framework? 


= Dowehavean effective risk-based segmentation (e.g., are small collection agencies appropriately 
categorized as high risk)? 


= Do we actively monitor third parties for compliance to regulations that govern their activities? For example, 
do we audit calls made by call centers, review their internal policies, audit their operations to ensure 
adherence to letter and spirit of regulations? Do we have decent workflow tools to help with this? 


= Dowehave adequate documentation and an up-to-date narrative to demonstrate progress to the 
regulators? 


The answers to these questions will determine the nature, length and required resources for the 
transformation. 


John Walsh is a senior adviser to McKinsey & Company in the Washington, DC, office and former head of 
the OCC. Hamid Samandariis a director, Dmitry Krivin is an associate principal, and Emily Yueh is an 
engagement manager, all in McKinsey’s New York office. 
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